I'm using winexe to communicate with Windows running inside a virtual machine on my Linux system, to perform various test scenarios. I really don't want to have to be root to start the VMs.
When I start my Linux virtual machines, which I control with SSH, I simply map the SSH port (22) to a different, non-reserved port (>1024; say 19000). So I can start the VM without requiring root privileges. Then I use ssh -p 19000 ... when I want to ssh to the VM, and it works great.
But I cannot find a way to have winexe choose a different port than the default (I'm not sure what the default port is, actually; does it use 445 like SMB?). Is there a way to do it?
Note I cannot run an SSH server on Windows; because of my test environment requirements I can't add an SSH server to the virtual machines. Plus even if I were allowed I've had nothing but pain trying to get an SSH server to work reliably on Windows.
Winexe source code shows that the client-server communications happen over SMB in named pipes. As if you would write into unix pipes over nfs.
This results that it is very unlikely, that you can change the port. Maybe you can do that on the Linux side, but you have probably no way to do that in your Windows VM.
Related
Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?
I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.
Is there any way of achieving this?
Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.
But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.
What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config allowgroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.
Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).
You can set up a VPN and only allow access to port 3306 from the VPN interface.
Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.
A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.
The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.
So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.
Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)
install a SSHd server on the Windows machine on some nonstandard port.
configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
create a (limited) user on the Windows machine to allow Linux to connect.
install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.
...and you're done.
Who can connect to the database now?
any user on that one Windows machine. This should mean only the Web server user (*).
any admin user with SSH access on the Linux machine (provided there is a SSH access to the Linux machine. You could have turned it off).
an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.
(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.
I have a problem setting up a ipython cluster on a Windows server and connecting to this ipcluster using a ssh connection. I tried following the tutorial on https://ipython.org/ipython/doc/dev/parallel/parallel_process.html#ssh, but I have problems to understand what the options mean exactly and what parameters are to use exactly...
Could anyone help a total noob to set up an ipcluster? (Let's say the remote machine has ip 192.168.0.1 and the local machine has 192.168.0.2)
If you scroll roughly to the middle of the page https://ipython.org/ipython-doc/dev/parallel/parallel_process.html#ssh you will find this:
Current limitations of the SSH mode of ipcluster are:
Untested and unsupported on Windows. Would require a working ssh on Windows. Also, we are using shell scripts to setup and execute
commands on remote hosts.
That means, there is no easy way to build an ipcluster with ssh connection on windows (if it works at all).
Do you really need to connect the machines with an ssh connection? I guess it's possible with a ssh client on each windows machine, but if you are in a trusted local network you can also decide not to use the loopback interface and just expose the ports...
Sure you can start controller and engine separately! For further examples about ports (if you have problems with firewalls) see also How to setup ssh tunnel for ipython cluster (ipcluster)
I'm working on a project that requires me to run my code on a remote Unix server, that is not available to connect to directly (you first have to log in to the "gate" node and then to this server).
What's really bad is that they disabled key authentication, so each time I need to ssh into it, I have to type in my password twice. It's really annoying and I wonder what's the best way to transfer my local modifications of source files to this server, compile and run them without having to provide those passwords so many times.
I have no sudo access to any of those servers (neither to this "gate", nor to this target server). Any ideas on how to make the whole process more efficient?
EDIT: Martin Prikryl provided a great answer below, but it's suitable for Windows and I'm on a Mac :) I guess it might be a good thing to have it documented here also for *NIX systems.
You are looking for SSH tunneling.
WinSCP SFTP client supports one-hop SSH tunneling natively.
See the Tunnel page on WinSCP Advanced Site Settings dialog.
I assume that after you transfer the file, you need to open SSH terminal to compile the file.
You may be able to make use of WinSCP Console window for that step.
Alternatively, if you need/want to use a real SSH terminal client, make use of an existing SSH tunnel, created by WinSCP, and connect with PuTTY (or any other SSH client) over it.
In the Local tunnel port of WinSCP Tunnel page, select a fixed port number (instead of the default Autoselect). In PuTTY enter "localhost" to Host Name and the selected port in Port.
(I'm the author of WinSCP)
I want to install a number of raspberry pis at remote locations and be able to log in to them remotely. (Will begin with 30-40 boxes and hopefully grow to 1000 individual raspberry pis soon.)
I need to be able to remotely manage these boxes. Going the easier route, forwarding a port on the router and setting a DHCP reservation, requires either IT support from the company we'll be doing the install for (many of which don't have IT), or it will require one of our IT people physically installing each box.
My tentative solution is to have each box create a reverse SSH tunnel to our server. My question is: How feasible would this be? How easy would it be to manage that many connections? Would it be an issue for a small local server to have 1000+ concurrent SSH connections? Is there an easier solution to this problem?
My end goal is to be able to ship someone a box, have them plug it in, and be able to access it.
Thanks,
w
An alternate solution would be to:
Install OpenVPN server on your server machine. How to install OpenVPN Server on the PI. Additionally, add firewall rules that block everything but traffic directed for the client's ssh and other services ports (if desired), from administrating machine(s).
Run OpenVPN clients on your Raspberry PI client machines. They will connect back to your VPN server. On a side note, the VPN server and administrating machine(s) need not be the same machine if resources are limited on the VPN server. How to install OpenVPN on the client Raspberry PIs.
SSH from administrating machine(s) to each client machine. Optionally, you could use RSA authentication to simplify authentication.
Benefits include encryption for the tunnel including ssh encryption for administrating, as well as being able to monitor other services on their respective ports.
I made a WebApp to manage this exact same setting in about 60 minutes with my java web template. All I can share are some scripts that I use to list the connection and info about them. You can use those to build your own app, it is really simple to display this in some fancy way in a fast web.
Take a look at my scripts: https://unix.stackexchange.com/a/625771/332669
Those will allow you to get the listening port, as well as the public IPs they're binded from. With that you can easilly plan a system where everything is easilly identificable with a simple BBDD.
You might find this docker container useful https://hub.docker.com/r/logicethos/revssh/
I'd like to use a server between two machines (with no static IP). The only IP known to me is the server's IP address. I'd like to build/use a system that listens to 2 different ports within the server and whatever is received from localhost:portA is sent to localhost:portB and vise versa. Consequently, both machines (with java apps) can communicate through the server in the middle.
Please what is the best solution to do this. I'm working on linux system and I thought of using an SSH java API (hudson / ganymed-ssh-2) to build a port forwarding server application.
Some issue:
1) determining the size of the data transmitted to buffer read or not to forward it to the other port.
2)The speed of reading/writing bytes.
If you can use ssh protocol you can tunnel local or remote ports (this need support on server side). You can also think about an OpenSSH VPN (take a look on ssh -w option, this will create a real VPN (TUN/TAP device is required). ).
You can use the the ssh program. Take a look at the -L and -R options specifically.